UNDERSTANDING SNMPv3


UNDERSTANDING SNMPv3 and HP Web Jetadmin

CONTENTS
Overview
Introduction to SNMPv3
Using HP Web Jetadmin to manage SNMPv3 settings
HP Web Jetadmin and credentials
Discovering SNMPv3 devices
SNMPv3 passphrases vs. keys
Notes
Troubleshooting

OVERVIEW
SNMPv3 (Simple Network Management Protocol, version 3) adds message authentication and data encryption to the management protocol that applications such as HP Web Jetadmin use to manage devices. HP Web Jetadmin is fully compatible with SNMPv3, but there are administrative rules and best practices that must be understood and followed. This document applies to HP Web Jetadmin 10.x versions. HP recommends keeping your HP Web Jetadmin installation at the latest version available at www.hp.com/go/webjetadmin. More information can be found on the HP Web Jetadmin support page.

INTRODUCTION TO SNMPv3
SNMP is the primary means HP Web Jetadmin uses to communicate with and manage devices. As the administrator manages devices with HP Web Jetadmin features, HP Web Jetadmin reads and writes device settings through SNMP Get and Set operations. This description is only a summary; SNMP itself is defined by a mature and very structured set of IETF RFCs (Requests for Comments). Basic SNMP (versions 1 and 2c) is called SNMPv1/2 in this document.

SNMPv3 provides a layer of security for device management communication: cryptographic authentication of every message and data confidentiality (encryption). SNMPv1/2 transmits all data, including data that might be sensitive, in plain text, so a network sniffer can read SNMPv1/2 traffic in full, including the Get and Set Community Names. In practice these Community Names have been used as passwords, but they provide only limited security value: they travel in clear text in every request, and anyone who captures one can reuse it. SNMPv3 encrypts the management data, which removes that exposure, and it requires the device and HP Web Jetadmin to authenticate each message to each other. Note that SNMPv3 encrypts only when a privacy passphrase is configured; with an authentication passphrase alone, the request contents are still readable on the wire, which is why HP Web Jetadmin requires both passphrases (see the next section).
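The clear-text exposure described above is easiest to appreciate by decoding the two message formats. The following Python is an added example, not code from this white paper or from HP Web Jetadmin: it builds a constructed SNMPv1 GetRequest and two constructed SNMPv3 messages (one with authentication and privacy, one with authentication only) and then parses each the way a passive sniffer would. The packets, the user name admin1, the engine ID and the placeholder ciphertext are all constructed for the example; only the message layout follows the SNMPv1 (RFC 1157) and SNMPv3/USM (RFC 3412, RFC 3414) encodings.

```python
"""What a passive sniffer sees in SNMPv1/2c versus SNMPv3 (added example, not HP code)."""

# --- minimal BER encode/decode helpers ----------------------------------
def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ber_int(n: int) -> bytes:          # non-negative INTEGER
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def ber_str(b: bytes) -> bytes:        # OCTET STRING
    return tlv(0x04, b)

def read_tlv(buf: bytes):
    """Return (tag, value, rest) for the first TLV in buf."""
    tag, ln, pos = buf[0], buf[1], 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[pos:pos + ln], buf[pos + ln:]

def decode_oid(raw: bytes) -> str:
    subids, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(map(str, subids))

# Constructed sample input: a GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
SYSDESCR = bytes.fromhex("2b06010201010100")
ENGINE_ID = bytes.fromhex("8000000001")        # constructed, not a real device's engine ID

def get_request_pdu() -> bytes:
    varbind = tlv(0x30, tlv(0x06, SYSDESCR) + tlv(0x05, b""))
    return tlv(0xA0, ber_int(42) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))

def build_v1_get(community: bytes) -> bytes:
    """SNMPv1 message: version 0, community name and PDU, all in clear text."""
    return tlv(0x30, ber_int(0) + ber_str(community) + get_request_pdu())

def build_v3_get(user: bytes, priv: bool) -> bytes:
    """SNMPv3/USM message; with priv=True the scoped PDU is an opaque OCTET STRING."""
    flags = 0x07 if priv else 0x05        # reportable | priv | auth
    global_data = tlv(0x30, ber_int(1) + ber_int(1500) + ber_str(bytes([flags])) + ber_int(3))
    usm = tlv(0x30, ber_str(ENGINE_ID) + ber_int(1) + ber_int(5) + ber_str(user)
              + ber_str(b"\x00" * 12)                          # msgAuthenticationParameters
              + ber_str(b"\x00" * 8 if priv else b""))         # msgPrivacyParameters (salt)
    scoped = tlv(0x30, ber_str(ENGINE_ID) + ber_str(b"") + get_request_pdu())
    msg_data = ber_str(b"\xAA" * len(scoped)) if priv else scoped   # ciphertext stand-in
    return tlv(0x30, ber_int(3) + global_data + ber_str(usm) + msg_data)

def first_oid_in_pdu(pdu: bytes) -> str:
    for _ in range(3):                    # skip request-id, error-status, error-index
        _, _, pdu = read_tlv(pdu)
    _, vbl, _ = read_tlv(pdu)
    _, vb, _ = read_tlv(vbl)
    _, oid, _ = read_tlv(vb)
    return decode_oid(oid)

def sniff(packet: bytes) -> dict:
    """Extract what an on-path observer can read from one SNMP message."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, body = read_tlv(body)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                 # SNMPv1 / SNMPv2c: everything is readable
        _, community, body = read_tlv(body)
        _, pdu, _ = read_tlv(body)
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode(),
                "pdu_readable": True, "first_oid": first_oid_in_pdu(pdu)}
    _, gd, body = read_tlv(body)          # msgGlobalData
    _, _, gd = read_tlv(gd)
    _, _, gd = read_tlv(gd)
    _, flags, _ = read_tlv(gd)
    _, sp, body = read_tlv(body)          # msgSecurityParameters (USM, still plaintext)
    _, usm, _ = read_tlv(sp)
    _, engine_id, usm = read_tlv(usm)
    _, _, usm = read_tlv(usm)
    _, _, usm = read_tlv(usm)
    _, user, _ = read_tlv(usm)
    data_tag, data, _ = read_tlv(body)    # 0x04 = encrypted, 0x30 = plaintext ScopedPDU
    info = {"version": "v3", "user": user.decode(), "engine_id": engine_id.hex(),
            "auth": bool(flags[0] & 0x01), "priv": bool(flags[0] & 0x02),
            "pdu_readable": data_tag == 0x30}
    if info["pdu_readable"]:
        _, _, data = read_tlv(data)       # contextEngineID
        _, _, data = read_tlv(data)       # contextName
        _, pdu, _ = read_tlv(data)
        info["first_oid"] = first_oid_in_pdu(pdu)
    return info

if __name__ == "__main__":
    for pkt in (build_v1_get(b"public"), build_v3_get(b"admin1", priv=True),
                build_v3_get(b"admin1", priv=False)):
        print(sniff(pkt))
```

Three things the output makes concrete: the SNMPv1 community name and the requested OID are readable by anyone on the path; with SNMPv3 authPriv the observer still learns the user name and engine ID (USM sends them in clear) but the scoped PDU is opaque; and with authNoPriv the PDU, including every OID and value, is as readable as in SNMPv1. The authentication parameters field is zero-filled here only because no key is derived in this example.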
In environments with elevated security risk, SNMPv3 should be given serious consideration over the less secure Get and Set Community Names. With SNMPv3 credentials in place, capturing useful management data from the network becomes very difficult, which adds real security to device management communication.

USING HP WEB JETADMIN TO MANAGE SNMPv3 SETTINGS
All HP devices that can be managed by applications such as HP Web Jetadmin are set to SNMPv1/2 by default. To enable SNMPv3, the device must first be configured by an application such as HP Web Jetadmin. In Figure 1, a device is set up for SNMPv3 using the SNMP Version Access Control configuration option in HP Web Jetadmin. Note that in this figure only one device (within a device list) is selected for the SNMPv3 setup.

Figure 1 SNMP setup (single device)

Best practices: When using HP Web Jetadmin to manage SNMPv3 devices, HP Web Jetadmin should be the only configuration agent used to set up SNMPv3. The Notes later in this document show the complications that arise when SNMPv3 settings are managed from outside HP Web Jetadmin.

To communicate with an SNMPv3 device, HP Web Jetadmin must have the following three elements:

User Name: The account identity allowed access via SNMPv3. Example: admin1.

Authentication Passphrase: The first secret. The device stores a key derived from it and uses that key to check every SNMPv3 message from then on, so the device can verify both who sent the message (HP Web Jetadmin) and that the message was not altered in transit. Example: oncewasasmallcat.

Privacy Passphrase: The second secret. The key derived from it encrypts the management data sent to and from the device. Example: oncewasasmalldog.

When SNMPv3 is enabled on the device, write access via SNMPv1/2 is disabled and device parameters can only be configured through SNMPv3. The SNMPv3 settings either disable SNMPv1/2 completely or disable only write access, leaving SNMPv1/2 readable by any managing agent, such as another installation of HP Web Jetadmin. The SNMPv1 read-only setting shown in Figures 1 and 2 allows that read access. Keep in mind that read-only SNMPv1/2 still exposes every readable object on the device to anyone who knows or guesses the Get Community Name, so some cases require SNMPv1 to be disabled completely to protect all device data; select the SNMPv1 disabled option to do so.

HP Web Jetadmin can be used to configure SNMPv3 on many devices at once. When the SNMP Version Access Control configuration option is displayed with multiple devices selected from a device list, HP Web Jetadmin shows blank fields until the administrator enters the credentials. Figure 2 shows the SNMP Version Access Control configuration option as displayed by the HP Web Jetadmin Create Device Configuration Template wizard. In this case, a template is configured to store SNMPv3 settings that can be applied to devices later.
Notice that there are three choices in this configuration item when it is displayed as a template or when multiple devices are selected from a device list:
Enable SNMPv3
Modify SNMPv3
Disable SNMPv3

Templates can be applied directly to one or more devices, to a device group, and through a Group Policy. With a Group Policy, the template settings take effect when a device is added to a device group or removed from it. A common practice is to set up an automatic group whose Group Policy applies these templates as HP Web Jetadmin populates the group based on its filter criteria.

Figure 2 SNMPv3 in the HP Web Jetadmin configuration template

HP WEB JETADMIN AND CREDENTIALS
In addition to the differences between SNMPv3 and SNMPv1/2, it is important for administrators to consider how HP Web Jetadmin interacts with devices that have credentials and security features set via the Credentials Store. Important points include:

If a device is discovered using SNMPv3 or configured with SNMPv3 by HP Web Jetadmin, the mode of communication from that point forward includes SNMPv3.

SNMPv3 credentials are stored in the HP Web Jetadmin Credentials Store. HP Web Jetadmin begins each communication session by retrieving these credentials and using them to authenticate and communicate securely with the device. Because the Credentials Store holds the passphrases for the whole managed fleet, the HP Web Jetadmin server itself becomes a high-value target, and access to it should be restricted accordingly.

The passphrase portion of an SNMPv3 credential is entered into HP Web Jetadmin as a character string, such as oncewasasmallcat. The HP Embedded Web Server (EWS) interface instead requires 16-byte hexadecimal keys. The two interfaces differ significantly; see SNMPv3 passphrases vs. keys.

All SNMPv3 credentials remain in the Credentials Store until they are:
No longer valid and then removed
Changed by an administrator via HP Web Jetadmin
Cleared from the Credentials Store by the administrator

When HP Web Jetadmin no longer has a valid credential in the Credentials Store, or no credential exists for a device, it prompts the administrator to add one through the Needed Credentials dialog shown in Figure 3. Adding credentials via this dialog is simple. Once the credential enables communication with the device, HP Web Jetadmin stores it and continues to use it as a seamless background operation. For more information about the Credentials Store, see the Security and HP Web Jetadmin white paper, available from the HP Web Jetadmin support page (in English).

Figure 3 HP Web Jetadmin requires SNMPv3 credentials

DISCOVERING SNMPv3 DEVICES
The HP Web Jetadmin instance that performs discovery on a network is not always the SNMPv3 configuration agent. Devices can be initially configured via one HP Web Jetadmin instance while a new instance discovers them.
In any case, HP Web Jetadmin must have SNMPv3 discovery enabled or it will not discover devices configured for SNMPv3. To enable HP Web Jetadmin to discover and manage devices using SNMPv3, go to Tools > Options > Device Management > Device Discovery, enable Discover SNMPv3 devices, and click Apply. The system is then capable of discovering and managing SNMPv3 devices.

Another aspect of discovering SNMPv3 devices is ensuring that the credential is included in the discovery itself. HP Web Jetadmin needs the SNMPv3 credential for even basic management communication, beginning with discovery. A few options exist to bring about a successful SNMPv3 device discovery. First, the discovery interface itself has a tool dedicated to adding credentials to a specific discovery or to a discovery template. Figure 4 shows the device discovery settings interface that allows adding SNMPv3 and other credentials. This pane is available as live discoveries are run, or in the Create Discovery Template wizard when you want to store discovery settings.

Figure 4 Adding SNMPv3 credentials to discovery

Another way to ensure SNMPv3 credentials are included in a discovery is to add them to the Global SNMPv3 Credentials feature (Figure 5). This feature can be understood as a global try-list. Any time HP Web Jetadmin encounters a device that requires credentials, it first looks in the Credentials Store. If nothing is found there, it tries whatever the administrator has configured in the global feature. The global feature is not restricted to SNMPv3 credentials; any of the other credential types, such as SNMP Community Names or File System Password, can be added.

Figure 5 Global SNMPv3 Credentials

NOTE: HP Web Jetadmin discoveries are slowed when many credentials are added to the Global SNMPv3 Credentials feature. For each device that lacks credentials in the Credentials Store, HP Web Jetadmin must try each global value in turn until it either finds a working credential or exhausts the list. Every unsuccessful attempt is also a genuine SNMPv3 authentication failure at the device, so a long global list produces a burst of such failures per device during discovery.

Best practices: Use the Global SNMPv3 Credentials feature to ensure that HP Web Jetadmin has enough information to discover your SNMPv3-protected devices. Limit the values you add to the global feature to avoid discovery performance issues.

SNMPv3 PASSPHRASES VS. KEYS
The HP EWS management interface allows access to many device settings. Both device and HP Jetdirect management settings can be viewed and adjusted from HP EWS. While you might expect these to be identical to the settings found in the HP Web Jetadmin configuration interface, this is not always the case. For example, HP EWS shows SNMPv3 credentials as hexadecimal keys, while HP Web Jetadmin has the credentials configured as passphrases. This is a significant difference. HP does not recommend managing SNMPv3 from both interfaces on the same device, or, as explained below, across a fleet for which HP Web Jetadmin is the primary tool.

When the SNMPv3 credential is configured from HP Web Jetadmin, the user adds a user identity and two passphrases to the interface. The passphrases are designed with human usability in mind and can be simple, easy-to-remember strings of letters and/or numbers (the example given earlier was oncewasasmallcat). When HP Web Jetadmin sets up the device for SNMPv3 security, it converts each passphrase into a key using the key derivation defined for the SNMPv3 user-based security model (RFC 3414): the passphrase is run through the configured authentication hash (MD5 or SHA-1), and the result is combined with the device's unique engine ID. The derived key is therefore one-way and specific to that one device, and DES (the privacy cipher) uses the derived privacy key rather than the passphrase. The passphrase itself is never sent on the network, and the keys cannot be recovered from captured traffic. So, while HP Web Jetadmin lets the user work with friendly passphrases, the SNMPv3 communication between HP Jetdirect and HP Web Jetadmin uses derived keys that protect devices and data from tampering.

Best practices: If HP Web Jetadmin is initially used to configure SNMPv3 on devices, HP Web Jetadmin must always be used instead of HP EWS for SNMPv3 settings. Administrators can continue to use HP EWS as a management interface for everything except SNMPv3 settings.
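To see why the two interfaces cannot be kept in sync by hand, it helps to compute the keys once. The following Python is an added example, not HP code: it implements the RFC 3414 password-to-key and key-localization steps that turn a passphrase into the per-device key, and derives the authentication and privacy keys for this document's example passphrases against two constructed engine IDs. The engine IDs are invented; the passphrases are the ones used above; MD5 is used as the default because the document mentions it and because it yields the 16-byte hex keys that HP EWS expects, but whether a particular HP Jetdirect firmware uses MD5 or SHA-1 is an assumption this document does not settle.

```python
"""RFC 3414 key derivation: passphrase -> Ku -> engine-localized key (added example, not HP code)."""
import hashlib

ONE_MEGABYTE = 1_048_576

def password_to_key(passphrase: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to 1,048,576 bytes, giving Ku.

    The long input deliberately makes each guess at the passphrase expensive.
    """
    if not passphrase:
        raise ValueError("empty passphrase")
    stream = (passphrase * (ONE_MEGABYTE // len(passphrase) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku); usable only at that engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_keys(auth_pass: bytes, priv_pass: bytes, engine_id: bytes, algo: str = "md5") -> dict:
    """Hex keys the device stores for one user; the passphrases never leave the manager."""
    auth_key = localize_key(password_to_key(auth_pass, algo), engine_id, algo)
    priv_key = localize_key(password_to_key(priv_pass, algo), engine_id, algo)
    # DES takes the first 8 bytes as its key and the next 8 as pre-IV; AES-128 takes the first 16.
    return {"auth_key": auth_key.hex(), "priv_key": priv_key[:16].hex()}

if __name__ == "__main__":
    # Engine IDs are constructed for the example, not read from real devices.
    for eid in (bytes.fromhex("8000000001"), bytes.fromhex("8000000002")):
        print(eid.hex(), usm_keys(b"oncewasasmallcat", b"oncewasasmalldog", eid))
```

Two things the output makes concrete. First, the same passphrase yields a different key on every device because the engine ID is mixed in, so a key read from one device's EWS page is useless on another. Second, the derivation is one-way: the hex key that EWS asks for cannot be turned back into the passphrase HP Web Jetadmin stores, and since EWS does not display the keys already on the device, an administrator who sets keys in EWS has nothing HP Web Jetadmin can recognise.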

The HP EWS interface, on the other hand, requires the user to enter hexadecimal keys rather than passphrases, and for security reasons it does not disclose the key values currently stored on the device. This makes it extremely difficult to keep SNMPv3 credentials consistent between HP EWS and HP Web Jetadmin. Therefore, when HP Web Jetadmin is the primary tool for managing a fleet, HP highly recommends using HP Web Jetadmin exclusively for managing SNMPv3 settings as well.

Another big difference between the two SNMPv3 configuration interfaces is the SNMPv1/2 read-write setting. Figure 6 shows a device being configured by HP EWS. Notice that it is possible to leave SNMPv1/2 read-write enabled. HP Web Jetadmin does not allow or recognize this kind of setup (see Figure 1 or Figure 2). When HP Web Jetadmin is used to configure SNMPv3 on the device, it always disables SNMPv1/2 write access, either leaving SNMPv1/2 read-enabled or disabling it altogether. This protects the fleet from unauthorized SNMPv1/2 configuration changes and is an extra step in guarding sensitive data on devices. A device left with SNMPv1/2 read-write enabled gains nothing from SNMPv3: anyone holding the clear-text Set Community Name can still reconfigure it.

Figure 6 Device configuration via HP EWS

NOTES
Administrators need to know about many facets of device security, including protocols, interfaces, firmware, and more. HP offers many documents regarding device security, which can be found on the HP Web Jetadmin support page.

In addition to SNMP, HP Web Jetadmin also uses HTTPS to manage some device settings, especially on many newer HP devices. HTTPS communication is encrypted and prevents plain-text monitoring and network sniffing. For more information, see Introduction to SNMPv3. The Security and HP Web Jetadmin white paper, available on the HP Web Jetadmin support page (in English), describes this in more detail.

In general, HP Web Jetadmin should be used to configure all device security settings. The wide range of settings is best managed with templates, which save administrators time by reducing repetitive tasks.

Best practices: When using HP Web Jetadmin templates to configure device security, keep security settings in separate templates. Security settings may have to be rotated periodically according to policy, and keeping these templates separate makes that rotation easier to manage.

TROUBLESHOOTING
HP Web Jetadmin performance can become noticeably slower when managing devices configured with SNMPv3, since every message is authenticated and encrypted and each session begins with an engine ID and time synchronization exchange.

All HP Web Jetadmin versions can process alerts using polling and SNMPv1/2 traps. SNMPv3 traps are supported from HP Web Jetadmin 10.4 and later.

When a device discovered with SNMPv1/2 is converted to SNMPv3, a new discovery might be required to re-register that device as configured with SNMPv3.

Issue: HP Web Jetadmin configuration keeps prompting for SNMPv3 credentials when a device does not seem to be SNMPv3.
Solution: The device might have been configured for SNMPv3 from the device's HP EWS interface. This is not supported. While HP Web Jetadmin always disables SNMPv1/2 write access, HP EWS allows simultaneous SNMPv1/2 and SNMPv3 read-write access. This is usually the root of the problem.

Copyright 2015 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. c01941786en, Rev. 3, October 2015